Vulnerabilidades

*** Pendiente de traducción *** Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Netigma allows Stored XSS.This issue affects Netigma: from 6.3.3 before 6.3.5 V8.

*** Pendiente de traducción *** The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

*** Pendiente de traducción *** Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection.This issue affects enVision: before 250563.

*** Pendiente de traducción *** A vulnerability was identified in Campcodes Society Membership Information System 1.0. This issue affects some unknown processing of the file /check_student.php. Such manipulation of the argument student_id leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

*** Pendiente de traducción *** A security flaw has been discovered in Campcodes Gym Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.

*** Pendiente de traducción *** A vulnerability has been found in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /module/Cadastro/aluno. The manipulation of the argument is leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

*** Pendiente de traducción *** A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/ComponenteCurricular/view. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

*** Pendiente de traducción *** A vulnerability was determined in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /module/ComponenteCurricular/edit. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

*** Pendiente de traducción *** The CleverControl employee monitoring software (v11.5.1041.6) fails to validate TLS server certificates during the installation process. The installer downloads and executes external components using curl.exe --insecure, enabling a man-in-the-middle attacker to deliver malicious files that are executed with SYSTEM privileges. This can lead to full remote code execution with administrative rights. No patch is available as the vendor has been unresponsive. It is assumed that previous versions are also affected, but this is not confirmed.

*** Pendiente de traducción *** The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory<br /> <br /> When I did memory failure tests, below panic occurs:<br /> <br /> page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))<br /> kernel BUG at include/linux/page-flags.h:616!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40<br /> RIP: 0010:unpoison_memory+0x2f3/0x590<br /> RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246<br /> RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0<br /> RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb<br /> R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000<br /> R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe<br /> FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> unpoison_memory+0x2f3/0x590<br /> simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110<br /> debugfs_attr_write+0x42/0x60<br /> full_proxy_write+0x5b/0x80<br /> vfs_write+0xd5/0x540<br /> ksys_write+0x64/0xe0<br /> do_syscall_64+0xb9/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f08f0314887<br /> RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br /> RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887<br /> RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001<br /> RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009<br /> R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00<br /> <br /> Modules linked in: hwpoison_inject<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:unpoison_memory+0x2f3/0x590<br /> RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246<br /> RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0<br /> RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb<br /> R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000<br /> R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe<br /> FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0<br /> Kernel panic - not syncing: Fatal exception<br /> Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)<br /> ---[ end Kernel panic - not syncing: Fatal exception ]---<br /> <br /> The root cause is that unpoison_memory() tries to check the PG_HWPoison<br /> flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is<br /> triggered. This can be reproduced by below steps:<br /> <br /> 1.Offline memory block:<br /> <br /> echo offline &gt; /sys/devices/system/memory/memory12/state<br /> <br /> 2.Get offlined memory pfn:<br /> <br /> page-types -b n -rlN<br /> <br /> 3.Write pfn to unpoison-pfn<br /> <br /> echo &gt; /sys/kernel/debug/hwpoison/unpoison-pfn<br /> <br /> This scenario can be identified by pfn_to_online_page() returning NULL. <br /> And ZONE_DEVICE pages are never expected, so we can simply fail if<br /> pfn_to_online_page() == NULL to fix the bug.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix subvolume deletion lockup caused by inodes xarray race<br /> <br /> There is a race condition between inode eviction and inode caching that<br /> can cause a live struct btrfs_inode to be missing from the root-&gt;inodes<br /> xarray. Specifically, there is a window during evict() between the inode<br /> being unhashed and deleted from the xarray. If btrfs_iget() is called<br /> for the same inode in that window, it will be recreated and inserted<br /> into the xarray, but then eviction will delete the new entry, leaving<br /> nothing in the xarray:<br /> <br /> Thread 1 Thread 2<br /> ---------------------------------------------------------------<br /> evict()<br /> remove_inode_hash()<br /> btrfs_iget_path()<br /> btrfs_iget_locked()<br /> btrfs_read_locked_inode()<br /> btrfs_add_inode_to_root()<br /> destroy_inode()<br /> btrfs_destroy_inode()<br /> btrfs_del_inode_from_root()<br /> __xa_erase<br /> <br /> In turn, this can cause issues for subvolume deletion. Specifically, if<br /> an inode is in this lost state, and all other inodes are evicted, then<br /> btrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely.<br /> If the lost inode has a delayed_node attached to it, then when<br /> btrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(),<br /> it will loop forever because the delayed_nodes xarray will never become<br /> empty (unless memory pressure forces the inode out). We saw this<br /> manifest as soft lockups in production.<br /> <br /> Fix it by only deleting the xarray entry if it matches the given inode<br /> (using __xa_cmpxchg()).